| From ac00333e02a736a09f4beca0c4893c2bc941cee5 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 13 Mar 2024 13:17:55 +0300 |
| Subject: wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() |
| |
| From: Rand Deeb <rand.sec96@gmail.com> |
| |
| [ Upstream commit e3ad987e9dc7d1e12e3f2f1e623f0e174cd0ca78 ] |
| |
| The 'index' variable in the rs_fill_link_cmd() function can reach |
| LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This |
| variable is used as an index for the lq_cmd->rs_table array, which has a |
| size of LINK_QUAL_MAX_RETRY_NUM, without proper validation. |
| |
| Modify the condition of the inner loop to ensure that the 'index' variable |
| does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any |
| potential overflow issues. |
| |
| Found by Linux Verification Center (linuxtesting.org) with SVACE. |
| |
| Signed-off-by: Rand Deeb <rand.sec96@gmail.com> |
| Link: https://patch.msgid.link/20240313101755.269209-1-rand.sec96@gmail.com |
| Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c |
| index f4a6f76cf193..e70024525eb9 100644 |
| --- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c |
| +++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c |
| @@ -2904,7 +2904,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv, |
| /* Repeat initial/next rate. |
| * For legacy IWL_NUMBER_TRY == 1, this loop will not execute. |
| * For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */ |
| - while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) { |
| + while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) { |
| if (is_legacy(tbl_type.lq_type)) { |
| if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) |
| ant_toggle_cnt++; |
| -- |
| 2.39.5 |
| |
